I have the latest version of AnyConnect installed, and KOS 6 with only the File AV, Mail AV and Proactive Defense modules installed, with the protection levels set to LOW.I do not have the Web AV, Anti-spy, Anti-hack, Anti-spam modules installed.

I also uninstalled the NDIS filter.

I have added all applications in the Trusted Zone from the Program Files\Cisco AnyConnect folder with both checkboxes checked.

This is a Windows Vista machine. Cisco Anyconnect works fine without Kaspersky.

I am at a complete loss as to what else I can possibly do to allow Cisco to work with Kaspersky installed. Does anyone have a solution to this?

Thanks for your help,

Greg.

Tybilly

28.05.2009 11:19

Hello,

Please precise what version (6.0.x.x) of KAV your are using and what are the troubles you meet with your Cisco applications.

I am having the same problem. I first noticed this issue in our first Windows 7 installation. (All of our other remote users have the ipsec Cisco client installed) I had the latest KAV installed (6.0.4.1212), and the latest Cisco Anyconnect client installed (2.4.0202) on the 64bit Windows 7 Enterprise. KAV is configured with File, Mail, Web antivirus, Proactive Defense, and Access control. Anti-spam and Anti-hacker are not installed. Anti banner and Anti dialer are disabled. Access control has no devices blocked, and disable autorun/autorun.inf checked.

In this configuration, The VPN client will connect to the firewall, allow you to log in but is unable to activate the virtual adapter to complete the connection process.I first contacted Cisco TAC support about this because I thought it was a Windows 7/Cisco specific issue. Cisco asked me to try uninstalling Kaspersky. When I uninstalled KAV, the Anyconnect client successfully set up the connection. When I re-installed KAV, The Anyconnect client was unable to establish the VPN connection.

In order to troubleshoot further and to see if Windows 7 had anything to do with the issue, I installed the Anyconnect client on a Windows XP (SP3) machine that did not yet have KAV on it. I was able to successfully establish a vpn connection. I then deployed KAV (6.0.4.1212) to that machine. I rebooted and allowed the KAV client to receive all its necessary updates. The vpn client was no longer able to establish a connection.

I will try the vpn connection on another machine that has the prior version of KAV on it to verify whether it is a MR4 issue (which is what I suspect). My guess is there is a new security feature that is preventing the VPN client from performing the actions it needs to. We know that KAV's firewall/intrusion detection are not the culprits because neither Greg nor I have those installed. Perhaps there's something in the Proactive Defense App Activity Analyzer. The trick is identifying it so we can modify our KAV policy to allow the VPN software to operate.

Thanks,JasonL

fdt93

21.10.2009 19:59

QUOTE(fdt93 @ 21.10.2009 10:32)

I will try the vpn connection on another machine that has the prior version of KAV on it to verify whether it is a MR4 issue (which is what I suspect). My guess is there is a new security feature that is preventing the VPN client from performing the actions it needs to. We know that KAV's firewall/intrusion detection are not the culprits because neither Greg nor I have those installed. Perhaps there's something in the Proactive Defense App Activity Analyzer. The trick is identifying it so we can modify our KAV policy to allow the VPN software to operate.

Actually, my guess was wrong. I just duplicated the problem on an XP machine with KAV 6.0.3.837. I guess I need to go over our protection policy to see what may be enabled that is blocking the vpn connection attempts. I can't find anything in the Kaspersky log files suggesting it was blocking anything.

JasonL

MikeKA

21.10.2009 21:08

I am also having the same issues with AnyConnect and our XP user base.

Not sure how much more I can add, but the Anyconnect client will fail with the latest Kasp installed on the XP box. Uninstalling Kaspersky fixes the issue with anyconnect. Re-installing brings the problem back.

I've run this through Cisco TAC as well and since the problem application seems to be Kaspersky, they couldn't provide any additional help.

I've removed the NDIS from the tcpip properties as well with no change.

The Cisco IPSEC client works without issue. I'm testing different items being enabled in the policy.... I'd be curious to know if anyone else has had any success...

I am currently experimenting with adding the AnyConnect binaries to the Trusted Zone. I'll post a reply if I find something that works.

JasonL

fdt93

22.10.2009 18:54

I have not had any luck with adding the AnyConnect app to the Trusted zone list. I eventually added every exe, dll, and sys file in the AnyConnect program directory to the Trusted list with the options of do not scan open files, do not restrict application activity, and do not scan encrypted traffic. I used the full path for each item. And I verified that the policy containing the trusted items was applied to my client. I have also verified that the Scan Encrypted Connections option on the Network Settings page is not selected.

fdt93

24.10.2009 20:14

This has been fixed with the help of Kaspersky tech support. We had to deselect Http SSL 443 from the monitored port list in Settings->Network->Port Settings.That was it. Once I did that, the Anyconnect client worked.

Thanks Kaspersky tech support.

AnonymousFreak

19.10.2010 12:19

QUOTE(fdt93 @ 24.10.2009 09:14)

This has been fixed with the help of Kaspersky tech support. We had to deselect Http SSL 443 from the monitored port list in Settings->Network->Port Settings.That was it. Once I did that, the Anyconnect client worked.

Thanks Kaspersky tech support.

Wanted to say thanks for posting the answer! Got here thanks to Google, and your answer was right on the money to resolve my issue.